Classification- TOP SECRET//SI//REL TO USA, CAN, GBR 


Classification: TOP SECRET//SI//REL 1 


Remote exploit for iOS9 capable of running arbitrary payloads on 32- and 64-bit devices via Safari and Chrome. 

• POC for Safari on 64-bit devices brought along to TRICLOPS. 

• Ported POC to work with Safari on 32-bit devices. 

• Moved POC to fit in with ECHOEARTH framework, also enabling merge of 32- and 64-bit code paths. With 
the addition of ImageLoaderMegaDylib, the exported symbols offset was moved in 9beta3 for 64-bit 
devices, requiring the additional trieHasDylib and trieHasNode functions. 

• Used ROP stacks written for ECHOEARTH (iOS8 remote) to enable POC to work with Chrome (32- and 
64-bit devices). 

• Added detection of JIT prior to pulling remaining JS files, reducing equity retrieved by device. 

• Now uses _dlsym in libdyld instead of dyld_dlsym in Dyld by calling findExportedSymbols instead of 

using libcall execute - removes extra call stub execution. 

• Removed need for additional garbage collects by allocating array large enough to prevent butterflyAddress 
from being moved. 
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